Why Do Criminals Go After Online Retailers?

Many online businesses, e-commerce sites and online retailers still seriously underestimate the black-market value of the data they hold and handle. Consequently, the risk of cyberattacks and the importance of information security in general are also significantly underestimated.

The main reason for this is that e-business owners are seriously short of information about the “dark side” of the internet; many are not even aware of recurrent data theft from their own databases. But let’s start from the beginning.

First of all, e-business owners should remember that cybercriminals are also businessmen who know how to make money. Customer databases from online stores are among the most expensive on the black market, because they usually hold correct, up-to-date and complete details about customers, sometimes even their credit card numbers.

Completeness is a very important factor in database pricing on the black market. Even spammers prefer to purchase personal records from an online shop rather than from a blog or free forum, simply because they can target their subsequent spam emails better for a higher click-through rate, which in turn generates more income. Obviously, cybercriminals who make money via credit card or identity theft need as much information about their victims as they can obtain. Customers of online stores are therefore perfect targets for them.

Don’t forget that customers of European and US online stores are usually reasonably well-off and may host a good amount of valuable information on their computers. Such information may be used directly by the hackers or be (re)sold on the black market.

This is why e-commerce websites are quite often infected with malware (an exploit pack targeting vulnerabilities in Adobe products or popular browsers) overnight or over a weekend, to gain control of website visitors’ PCs while the IT security team is “off duty.” Such attacks often go unnoticed: professional hackers will do their best to stay under the radar, and you may have no clue that your online shop or database was compromised.

As we hear about attacks on the Targets and eBays of this world, many SME e-business owners gain a false sense of security, believing that they will not be attacked because their customer databases are not big or interesting enough for hackers.

This assumption is wrong because, in the majority of cases, hackers are not looking for customers and data from a specific web shop; they are just looking for commercially exploitable data. It’s much easier, faster and cheaper to hack 50 small e-boutiques than one major e-commerce operation. Moreover, the outcome (the number of stolen customer records) will be almost the same, probably even bigger.

Hackers have bots that crawl tens of thousands of e-commerce websites for known vulnerabilities; the lists of websites and of vulnerabilities to check are updated weekly or even daily. So it’s enough for your website to be hosted on shared hosting, or to have an outdated CMS or vulnerable third-party code, for it to be compromised by a bot that will download your databases, install a backdoor, clean the logs and continue crawling. Ninety percent of such hacks are missed by all popular web security scanning services that give “Website verified – 100 percent secure” labels to customers.

Dealing with a security breach

If you do notice that your website has been hacked, immediately notify your web hosting company and temporarily shut down your website.

Immediately change all passwords and copy access logs to secure local storage. They will help in the future to determine how hackers got in and to trace the attackers.
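An added example, not part of the original article, showing one way to copy access logs into separate storage so that later changes to the copies can be detected. It assumes the logs are plain files in a directory; the function names, the manifest.json file name and the sample log line are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large logs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(log_dir: Path, evidence_dir: Path) -> dict:
    """Copy every file under log_dir and record its SHA-256 in manifest.json."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(log_dir)
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also keeps the modification time
        copied = sha256_file(dst)
        if copied != sha256_file(src):  # source changed while being copied
            raise IOError(f"{rel}: copy differs from source, log still being written?")
        manifest[rel.as_posix()] = copied
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir: Path) -> list:
    """Return the names of preserved files that are missing or no longer match."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [name for name, digest in manifest.items()
            if not (evidence_dir / name).is_file()
            or sha256_file(evidence_dir / name) != digest]

def demo() -> tuple:
    """Run on a constructed log line in a temp directory; no real server is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        logs, evidence = Path(tmp, "logs"), Path(tmp, "evidence")
        logs.mkdir()
        # Constructed sample entry (documentation IP range), not real traffic.
        (logs / "access.log").write_text(
            '203.0.113.7 - - [01/Jan/2024:03:12:45 +0000] "GET /shop/ HTTP/1.1" 200 512\n')
        manifest = preserve_logs(logs, evidence)
        clean = verify_evidence(evidence)
        (evidence / "access.log").write_text("edited\n")  # simulate later tampering
        return manifest, clean, verify_evidence(evidence)
```

Keeping a copy of manifest.json somewhere the web server cannot write to means the hashes can still be trusted if the site is compromised again.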

It is very important to understand whether the attack against your website was targeted or not. Contact a local security company or a local CERT (Computer Emergency Response Team) to get competent advice and assistance in the forensics process. Your web hosting company should also be able to help you by analyzing logs and abnormal activity around your website. As soon as you can reconstruct a picture of the security incident, you should take the following steps:

Fix the hole: Once you know how your website was compromised, patch the vulnerability or weakness hackers used to get in.

Inform relevant customers: If your customers’ personal data was compromised, notify affected customers and ask them to change all of their passwords as soon as possible.

Report the hack: Depending on your country’s cybercrime legislation, you may wish to file a criminal complaint against the attackers even if they are hidden behind a chain of proxy servers. However, don’t be too optimistic: due to a lack of inter-government collaboration and different laws in almost every country, many of these crimes remain forever unsolved.

Put vulnerability testing in place: The only efficient solution is to regularly hire qualified ethical hackers who will manually check the security of your website, behaving and thinking like hackers but working for you and for your interests. SMBs probably don’t need to invest in costly on-site penetration testing consultancy services. An alternative is on-demand penetration testing, such as ImmuniWeb, which provides automated scanning of a website combined with penetration tester expertise. Two good guides giving advice on the selection of security assessment vendors/providers are written by Alexander Michael: “You may think you have never been hacked... you just have not realized it yet” and Viktor Polic: “The quest for weak links in information security”.

In short, if you are running an e-commerce website you will probably be attacked at some stage. How you deal with an attack and what you do to prevent another one will determine how much time your site is down and how many customers you alienate.